ABSTRACT

A firewall for isolating network elements from a publicly accessible network to which such network elements are attached. The firewall operates on a stand alone computer connected between the public network and the network elements to be protected such that all access to the protected network elements must go through the firewall. The firewall application running on the stand alone computer is preferably the only application running on that machine. The application includes a variety of proxy agents that are specifically assigned to an incoming request in accordance with the service protocol (i.e., port number) indicated in the incoming access request. An assigned proxy agent verifies the authority of an incoming request to access a network element indicated in the request. Once verified, the proxy agent completes the connection to the protected network element on behalf of the source of the incoming request.

1 Claim, 5 Drawing Sheets 
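The arrangement the abstract describes, modelled as an added example that is not code from the patent or its assignee: each service port has its own proxy agent; the agent verifies a request before any connection exists, so a burst of malformed requests costs the box nothing but a counter increment and the port never has to be shut down; an accepted request is completed by the proxy, so the protected element sees only the firewall box as its peer. The port numbers, protocol prefixes, addresses and element names are constructed for the example, and the prefix test stands in for real protocol validation.

```python
"""Added example: a stand-alone firewall box with one proxy agent per port.

A request is verified before any connection is formed; only a verified
request is completed, by the proxy, to the protected network element.
All ports, protocol prefixes, addresses and element names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class AccessRequest:
    src: str        # address of the machine the request came from
    port: int       # service port the request arrived on
    target: str     # protected network element named in the request
    payload: bytes  # first bytes of the request stream


@dataclass
class Connection:
    """Connection completed by the proxy on the requester's behalf.
    The protected element sees the firewall box, not the requester."""
    port: int
    target: str
    peer_seen_by_target: str


class ProxyAgent:
    """One agent per port. verify() runs before a connection exists, so a
    discarded request never occupies a connection on the protected side."""

    def __init__(self, port: int, protocol_prefixes: Iterable[bytes],
                 allowed_targets: Iterable[str]) -> None:
        self.port = port
        self.protocol_prefixes = tuple(protocol_prefixes)
        self.allowed_targets = frozenset(allowed_targets)

    def verify(self, req: AccessRequest) -> bool:
        if req.port != self.port:
            return False
        # The request must speak the protocol normally associated with this
        # port; a mismatch is discarded outright (constructed prefix check).
        if not req.payload.startswith(self.protocol_prefixes):
            return False
        # The named element must be one this agent is allowed to reach.
        return req.target in self.allowed_targets

    def connect(self, req: AccessRequest) -> Connection:
        # The proxy, not the requester, opens the connection to the target.
        return Connection(self.port, req.target, peer_seen_by_target="firewall-box")


class FirewallBox:
    """Dispatches each incoming request to the agent assigned to its port."""

    def __init__(self, agents: Iterable[ProxyAgent]) -> None:
        self.agents: Dict[int, ProxyAgent] = {a.port: a for a in agents}
        self.accepted = 0
        self.discarded = 0

    def handle(self, req: AccessRequest) -> Optional[Connection]:
        agent = self.agents.get(req.port)
        if agent is None or not agent.verify(req):
            self.discarded += 1      # rejected before any connection is formed
            return None
        self.accepted += 1
        return agent.connect(req)


def build_firewall() -> FirewallBox:
    """Two agents: HTTP on port 80 and Telnet on port 23 (constructed)."""
    return FirewallBox([
        ProxyAgent(80, [b"GET ", b"HEAD ", b"POST "], ["web-server"]),
        # Telnet option negotiation begins with the IAC byte (constructed check).
        ProxyAgent(23, [b"\xff"], ["terminal"]),
    ])


def flood(box: FirewallBox, count: int) -> None:
    """A burst of slightly varying, protocol-invalid requests on the Telnet
    port (constructed). Every one is discarded by the agent before a
    connection exists, so the port stays open for legitimate users."""
    for i in range(count):
        box.handle(AccessRequest(f"203.0.113.{i % 254 + 1}", 23, "terminal",
                                 b"GET /%d" % i))


if __name__ == "__main__":
    box = build_firewall()
    print(box.handle(AccessRequest("198.51.100.7", 80, "web-server", b"GET / HTTP/1.0")))
    flood(box, 500)
    print(box.handle(AccessRequest("198.51.100.9", 23, "terminal", b"\xff\xfb\x01")))
    print("accepted", box.accepted, "discarded", box.discarded)
```

The point to take from the counters is that the flood raises only `discarded`; no port is closed, and the legitimate Telnet request that follows the flood is still completed.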
FIREWALL SYSTEM FOR PROTECTING NETWORK ELEMENTS CONNECTED TO A PUBLIC NETWORK

This is a continuation of application Ser. No. 08/595,957, filed Feb. 6, 1996, U.S. Pat. No. 5,826,014.

The present invention relates to a system for protecting network elements connected to a public network from access over the public network, and more specifically, to a firewall system for protecting network elements connected to the Internet.

The Internet has experienced, and will continue to experience, explosive growth. As originally designed, the Internet was to provide a means for communicating information between public institutions, particularly universities, in a semi-secure manner to facilitate the transfer of research information. However, with the development and provision of user friendly tools for accessing the Internet, such as the World Wide Web (the Web), the public at large is increasingly turning to the Internet as a source of information and as a means for communicating.

The Internet's success is based, in part, on its support of a wide variety of protocols that allows different computers and computing systems to communicate with each other. All of the Internet-compatible protocols, however, find some basis in the two original Internet protocols: TCP (Transmission Control Protocol) and IP (Internet Protocol). Internet protocols operate by breaking up a data stream into data packets. Each data packet includes a data portion and address information. The IP is responsible for transmitting the data packets from the sender to the receiver over a most efficient route. The TCP is responsible for flow management and for ensuring that packet information is correct. None of the protocols currently supported on the Internet, however, provides a great degree of security. This factor has hindered the growth of commercial services on the Internet.

The government, in learning of the Internet's limited transmission security capacity, has resorted to encoding secure messages using complex encryption schemes. The government abandoned consideration of the Internet for high security information, relying instead on privately operated government networks. The general public, without such concerns, has come to increasingly use the Internet. Furthermore, businesses, having recognized the increasing public use of, and access to, the Internet, have turned to it as a marketing mechanism through which to disseminate information about their products, services and policies.

A popular way for commercial institutions to supply information over the Internet is to establish a homepage on an Internet multi-media service known as the World Wide Web. The World Wide Web ("Web") provides a user-accessible platform that supplies information in text, audio, graphic, and video formats. Each homepage document can contain embedded references to various media. A Web user can interactively browse information by responding to entry prompts nested in a screen within a homepage. Web documents are accessed by using a TCP/IP compatible protocol called HyperText Transfer Protocol (HTTP). A user logged onto the Internet can access a "Web site" by supplying the Web site's address (e.g., "http://srmc.com"). Entry of such an address establishes a session between the user and the Web site.

Provision of a Web homepage involves establishing a user accessible file at a Web site. The Web site can be established on a computing system on the premises of the business or institution providing the homepage, or by contracting to have the homepage built and supported on the computing facilities of an Internet Service Provider (ISP). The assignee of the present application, Scientific Research Management Corporation (SRMC), is an Internet Service Provider.

Use of a company's computing system for support of a publicly accessible system, such as a Web site, can present a threat to the company's internal systems that share the same computing platform, or are connected to the publicly accessible computing platform. Furthermore, in cases where sensitive information is transmitted over the Internet to a company, such information is usually stored on the same computing system that is used for running the on-line Internet system. For instance, some businesses now publish homepage catalogs offering services and products for sale. A user can select products or services from a homepage catalog in an interactive session. After selecting the desired products or services, the homepage may present a payment screen inviting the user to enter credit card information. Handling of such information over a public network such as the Internet requires some measure of security to prevent the information from being intercepted. However, a more important consideration is maintaining the security of such information once it is received and stored in a computing system that is connected to the Internet.

Most computer crime is not in the form of data interception, but involves a network intruder, or "hacker," entering a publicly-accessible computing system and subverting security systems to access stored information. In the recent past there have been several publicized cases where hackers have stolen proprietary information from purportedly secure computers over the Internet.

In many cases where a publicly accessible application, such as a homepage, is set up on a business or institution's premises, it is grafted onto an existing computing system. The existing system also may contain other computing resources such as data bases, and/or internal network systems that are not intended for public access. Provision of a publicly accessible on-line system, such as a Web server, on such a system can provide a scenario that can be exploited by network intruders who may attempt to reach systems beyond the Web server using it, or other systems bundled on the computing platform, as access paths. A company or institution may attempt to protect these surrounding systems by password protecting them, or by concealing them from the public with a system called a firewall.

Password protected systems are well known. However, a password prompt announces the presence of proprietary systems and may be an invitation for a hacker to investigate further. Because password systems are widely known, they are somewhat susceptible to hackers who have developed techniques for cracking, bypassing or subverting them. Using conventional desktop computers, hackers have been known to decipher passwords of reasonable lengths in a very short period of time. Provision of longer passwords may thwart a hacker's attempts, but at the expense of user convenience.

The term "firewall" was coined in the computer network environment to describe a system for isolating an internal network, and/or computers, from access through a public network to which the internal network or computers are attached. The purpose of a firewall is to allow network elements to be attached to, and thereby access, a public network without rendering the network elements susceptible to access from the public network. A successful firewall
[...] act with the public network elements without rendering the network elements susceptible to attack or unauthorized inquiry over the public network. As used herein, the term "network element" can refer to network routers, computers, servers, databases, hosts, modems, or like devices that are typically associated with a computer network.

One technique used by firewalls to protect network elements is known as packet filtering. A packet filter investigates address information contained in a data packet to determine whether the machine from which the packet originated is on a list of disallowed addresses. If the address is on the list, the packet is not allowed to pass.

One problem with packet filtering is that when unknown address information is encountered in the filtering check (i.e., the packet's address is not on the list), the packet is usually allowed to pass. This practice of allowing unknown packets to pass is based on an Internet design philosophy that promotes the ease of information transfer. Hence, most firewall systems utilizing packet filtering operate on an "allow to pass unless specifically restricted" basis. This practice is invoked with the perception that the packet will eventually be recognized and appropriately routed downstream of the packet filter. However, this practice provides hackers with a means with which to bypass a packet filter.

Hackers have developed a technique known as "source based routing," "packet spoofing," or "IP spoofing" wherein address information within a fabricated packet is manipulated to bypass a packet filter. All network elements that are addressable over the Internet have an address consisting of four octets separated by periods. Each of the octets is an eight bit sequence representing a decimal number between zero and 255. A host computer on the Internet might have an IP address: 19.137.96.1. Source based routing involves a hacker inserting an address of a machine that resides "behind" a firewall into the source address field of a fictitious packet. Such a packet can usually pass through a firewall because most firewalls are transparent to messages that originate from behind the firewall, because the firewall assumes that such messages are inherently valid. To prevent this type of packet spoofing, the packet filter's list of disallowed addresses includes the addresses of elements residing behind the firewall.

Another packet spoofing technique involves setting the "session active" bit of a packet. By setting this bit in a packet, a packet filter receiving the packet assumes that a valid session has already been established, and that further packet filtering checks are not necessary, thereby allowing the packet to pass. A spoofed packet having its session active bit set can contain an "establish connection" message. Such a packet can be used to establish a session with a machine behind the firewall.

Additional packet filtering techniques involve investigations of data portions of packets to determine whether there are any suspect contents, and/or investigations of suspect protocol designations. However, the drawback of these and the aforementioned packet filtering schemes is that, when used in combination, they are cumbersome. This practice impairs the speed with which packet filters do their job.

Conventional firewalls also may use an application gateway, or proxy system. These systems operate on the basis of an application, or a computing platform's operating system (OS), monitoring "ports" receiving incoming connection requests. A port is a numerically designated element contained in the overhead of a packet. A port number indicates the nature of a service associated with a packet. For example, a packet associated with the Telnet service has a port number of 23, and the HTTP service is assigned port number 80. These port number designations are merely industry suggested; a packet containing a port designation of 23 need not necessarily be associated with Telnet services.

When the OS or monitoring application receives a request on a particular port, a connection is opened on that port. A program for managing the connection is then initiated, and the firewall starts a gateway application, or proxy, that validates the connection. However, such a system is vulnerable and inefficient because of the resource intensive nature of the processes involved.

Hackers have been known to inundate a port with large numbers of slightly varying access requests in an attempt to slip a packet by an application gateway or proxy. This method of attack is known as a "denial of service attack." The response to such an attack is to have the OS shut down the targeted port for a period of time. This defense response is necessitated by the inefficiency of conventional port processing. The chain of processes associated with monitoring, managing, and verifying port connections is very inefficient. A denial of service attack can unduly burden system resources. Consequently, the conventional defense is to have the OS shut down the port for a period of time. This security technique prevents entry into a system through that port and restores the availability of system resources. However, it also prevents a user behind the firewall from accessing the port that has been shut down. Hence, this security measure is unacceptable.

Another problematic aspect of conventional firewall arrangements, from a security perspective, is the universal practice of combining a firewall with other packages on a same computing system. This arises in two situations. The first is where the firewall package, in and of itself, is a combination of applications. For example, Trusted Information Systems's recently released Gauntlet application is a combination Web server and firewall. The second situation is the aforementioned practice of hosting publicly accessible and/or unrelated services on a same computing platform that supports the firewall. The services sharing the platform with the firewall may include E-mail, Web servers, or even the system that the firewall is set up to protect (e.g., a database). This situation was discussed briefly above with respect to many companies' practice of grafting a firewall application onto their existing computer systems.

Provision of applications on top of, or in addition to, the firewall on a computing system provides a path through which a hacker can get behind the firewall. This is done by using the unrelated applications to attack the firewall, or to directly connect with network elements being protected by the firewall. The firewall may fail to recognize the attack because the application being exploited by the hacker is authorized to communicate through the firewall. In addition, the firewall might not be able to protect against unexpected flank attacks from shared applications because it is set up specifically to monitor requests from a designated publicly accessible application. Alternatively, the shared application may be used to completely bypass the firewall and attack, or directly connect to, a protected network element.

An example of a conventional firewall arrangement is depicted in FIG. 1. A host computer 100 communicates with an institutional computer system 106 over a public network 102 through a router 104. A router is a network element that directs a packet in accordance with address information contained in the packet. The institutional computer system 106 supports a variety of applications including a Web server 108, and an E-mail system 114. A firewall system 110
also is hosted on the institutional computer 106 to protect a port 112 that connects an internal network 116 to the institutional computer system 106. The internal network 116 may support communication between internal terminal(s) 118 and a database 120, possibly containing sensitive information. Such a firewall system 110, however, is subject to attack in many ways.

A hacker operating the host computer 100 can utilize publicly accessible applications on the institutional computer system 106, such as the Web server 108 or the E-mail system 114, to flank attack the firewall system 110 or connect to the internal network port 112. The Web server 108 or the E-mail system 114 may have authority to attach to and communicate through the firewall system 110. The hacker might be able to exploit this by routing packets through, or mimicking, these network elements, in order to attach to, attack, or completely bypass the firewall system 110.

Most conventional firewalls are transparent to packets originating from behind the firewall. Hence, the hacker may insert a source address of a valid network element residing behind the firewall 110, such as the terminal 118, into a fictitious packet. Such a packet is usually able to pass through the firewall system 110. Alternatively, the hacker can set the session_active bit in the fictitious packet to pass through the firewall 110. The packet can be configured to contain a message requesting the establishment of a session with the terminal 118. The terminal 118 typically performs no checking, and assumes that such a session request is legitimate. The terminal 118 acknowledges the request and sends a confirmation message back through the firewall system 110. The ensuing session may appear to be valid to the firewall system 110.

The hacker can also attempt to attach to the port 112. A conventional application gateway system forms a connection to the port before the firewall 110 is invoked to verify the authority of the request. If enough connection requests hit the port 112, it may be locked out for a period of time, denying service to both incoming requests from the public network, and more importantly, denying access to the internal network 116 for outgoing messages. It is readily apparent that conventional firewall systems, such as the one depicted in FIG. 1, are unacceptably vulnerable in many ways.

It is readily apparent that the design and implementation of conventional firewalls has rendered them highly vulnerable to hacker attack. What is needed is a true firewall system that overcomes the foregoing disadvantages and is resistant to hacker attack.

SUMMARY

The present invention overcomes the foregoing disadvantages by providing a firewall system that is resistant to conventional modes of attack. A firewall in accordance with the present invention is a stand-alone system that physically resides between a point of public access and a network element to be protected. A firewall arrangement in accordance with the invention operates on a computing platform that is dedicated to the operation of the firewall. Such a dedicated firewall computing platform is referred to herein as a "firewall box." The firewall box is connected to a protected network element by a single connection. Consequently, any communication from a publicly accessible network element to a protected network element must pass through the firewall box. A network element, or elements, to be protected by the firewall are connected to the backside of the firewall.

In a preferred embodiment the firewall box is a stand alone computing platform dedicated to supporting a firewall application. No other applications, services or processes, other than those related to support of the firewall application (e.g., an operating system), are to be maintained on the dedicated firewall box.

The firewall application running on the firewall box is comprised of a plurality of proxy agents. In a preferred embodiment, individual proxy agents are assigned to designated ports to monitor, respond to and verify incoming access requests (i.e., incoming packets) received on the port. Port management by the OS or port management programs is limited to simply assigning an appropriate proxy agent to an incoming access request on a port. The assigned proxy agent immediately verifies the access request before a connection is formed. Using simple verification checks, the proxy agent determines the authority of the access request, quickly and efficiently discarding unauthorized requests without unduly burdening system resources. If the access request is authorized, the assigned proxy agent opens, and thereafter manages, the port connection. In this way, the proxy agent is able to repel denial of service attacks without resorting to shutting down the port.

In a preferred embodiment, a proxy agent is assigned to a request based on the service associated with an access request (e.g., the Telnet port number is indicated). Each proxy agent is thus protocol sensitive to the particular service requirements of an incoming request and can respond with appropriately formatted messages. However, if the protocol of an access request is not configured in accordance with the protocol normally associated with that port, the request is discarded. If proper, the proxy agent can then initiate a set of verification checks to ensure the authority and authenticity of the access request.

Verification tests performed by a proxy agent can involve any variety of checks, including, but not limited to: determinations of valid destination addresses; determination of valid user, or user/password information; validity of an access in view of the time period of the access; presence of executable commands within an access request; or any combination of the latter, or like determinations. Such tests are not performed in conventional firewall systems.

Upon confirming the validity of an incoming access request, a proxy agent initiates the connection to a network element indicated in the access request, or in response to a prompt issued to a user, on behalf of the incoming access request. This has the effect of shielding the identity of network elements on each side of the firewall from a hacker who taps a connection on either side of the firewall. The firewall also can be used in combination with a packet filter to protect against IP spoofing and source based routing.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing, other objects, features and advantages of the present invention will be more readily understood upon the following description in conjunction with the drawings in which:

FIG. 1 depicts a computer network arrangement having a conventional firewall arrangement;

FIG. 2 depicts an exemplary computer network arrangement including a firewall arrangement incorporating the present invention;

FIG. 3 depicts another exemplary computer network arrangement including a firewall arrangement incorporating the present invention; and
FIGS. 4A and 4B depict a flow diagram depicting an exemplary process incorporating the present invention.

DETAILED DESCRIPTION

FIG. 2 depicts a block diagram of an exemplary system incorporating the invention. Network elements in the form of a terminal 216 and a secure database 218 are connected to an internal network 214 that is protected behind a firewall 210. The connection 212 between the internal network 214 and the firewall 210 is preferably the only connection between these two elements. A publicly accessible computing system is connected to a public network 202 through a router 204. A connection 208 between the firewall 210 and the publicly accessible computing system 206 is preferably the sole connection between the firewall 210 and the publicly accessible system 206. By providing the firewall 210 in this stand alone configuration, any and all access from the public network 202 to the internal network 214 must go through the firewall 210. Hence, a user operating a host machine 200 who attempts to access the internal network 214 via the public network 202 must go through the firewall 210. This arrangement is more robust than conventional firewall systems that are susceptible to being bypassed either physically or through applications sharing the firewall computing platform.

In preferred embodiments of the invention the firewall 210 runs on a dedicated firewall box. That is, the computer upon which the firewall 210 is running is dedicated to the firewall application. The processes, programs and applications running on the firewall computing platform are those involved with firewall processes, or their support (i.e., the computer's operating system). Consequently, there is reduced risk of the firewall being bypassed through applications sharing the firewall's computing platform. The addition of other, unrelated, applications to the firewall box merely compromises the integrity of the firewall.

The firewall 210 application is comprised of a variety of access request validation programs referred to herein as "proxy agents." Proxy agents investigate incoming requests that seek to access network elements residing behind the firewall 210. The nature of incoming access requests can vary according to a particular port, or service (e.g., HTTP, Telnet, File Transfer Protocol (FTP)) that the incoming request seeks to attach to. Accordingly, the firewall 210 application assesses the characteristics of an incoming request and assigns an appropriate proxy agent tailored to the particular protocol and verification requirements of that incoming access request. In a preferred embodiment, there is a designated proxy agent for each port. The proxy agent assigned to a port performs all of the verification processes and management of the port without involving the operating system, or a port manager (as in conventional systems). Because it is dedicated to a particular port, a proxy agent is capable of providing a more efficient handling of an incoming request from both a protocol and a verification standpoint. The proxy agent makes an immediate verification check of an access request before initiating a port connection. If the access is deemed suspect, it is immediately discarded. The use of proxy agents is more efficient than conventional chained processes involving OS based verification routines and port management programs that are generic to incoming access requests. By immediately checking for and discarding suspect packets, the proxy agent is capable of resisting denial of service attacks without having to shut down the port.

In accordance with another aspect of exemplary embodiments of the invention, a proxy agent can include a tailored set of verification tests. The rigorousness of the tests can be dictated by the characteristics of the access request. For instance, the source address of an access request can be investigated to determine whether the request is suspect or credible. An inherently reliable request may require only a minimum of verification before being connected, while a suspect request may require enhanced verification. Access request verification can include analysis of: source host machine and user information; destination host machine and destination user information; and/or time of day analysis. Other tests can be interactive in nature and prompt a source user to enter user/password information. In some cases a user may be required to enter a valid destination machine address or ID. In accordance with exemplary embodiments of the invention any combination of the foregoing, or other, tests can be performed by a given proxy agent depending on the verification requirements of a particular incoming access request.

A more detailed depiction of an exemplary system in accordance with the present invention is shown in FIG. 3. The figure illustrates a network scenario involving communication over a public network 306, such as the Internet. An institutional service provider 310 is attached to the public network 306 through a router 308. The institutional service provider 310 has a publicly accessible network 312. A user operating a host computer 302 can access the publicly accessible network 312 through the public network 306 (via routers 304 and 308, respectively).

The institutional service provider 310 may be a company that develops software on internal computers 324 and 326 for distribution and sale. Free software can be supplied to users who access a public Web server 314 on the external publicly accessible network. The institutional user 310 also may provide information about its products or services by establishing a homepage on the publicly accessible Web server 314. The publicly accessible network 312 also may have a public E-mail system 316. Authorized subscribers may be able to access proprietary software offered on a protected Web server 322 by accessing the institution's internal network 328. The internal network 328 also can have a secure E-mail system 320 for internal communication. The internal network 328 is protected from public access by a firewall 318 incorporating the present invention.

The firewall 318 permits the internal network 328 to be attached to the public network 306 (through the publicly accessible network 312) without rendering the secure network 328 open to public access. The firewall 318, in accordance with preferred embodiments of the invention, physically separates the publicly accessible network 312 from the internal network 328. Consequently, all communications attempting to access the internal network 328, or any network elements attached thereto, must pass through the firewall 318. To protect it from direct (e.g., keyboard) access, the firewall 318 is preferably maintained in a secure location on the premises of the institution 310.

The firewall 318 can run on a general purpose computer. Such a computer, in accordance with preferred embodiments, is a stand alone machine, or firewall box, dedicated to the firewall application. The addition of other programs to the firewall box merely undermines the strength of the firewall 318. Such additional programs can be used to bypass, or attach to and attack, the firewall 318.

The firewall application comprises a plurality of proxy agents that are assigned to investigate and handle incoming access requests. A proxy agent is preferably assigned in accordance with a port number designation indicated in a
request. The assigned proxy agent processes the access request, forms the connection, if verified, and manages the completed connection. A designer can dictate what set of verification tests are to be run on a particular incoming request. For instance, an assigned proxy agent can first check to ensure that the protocol of the access request matches that of the indicated port. If there is a discrepancy, the request is denied. A next check can involve investigation of a source address (i.e., the host machine from which the access inquiry originated) of the access request. This permits the proxy agent to make an initial assessment of the authenticity of the request. If a particular source has a higher probability of generating suspect packets (e.g., an unknown university computer) a proxy agent can optionally invoke a more rigorous series of verification tests. However, if the source is inherently secure (e.g., a firewall protected machine at a company's headquarters communicating with their R&D site) the proxy agent might proceed directly to

[...]

network elements during certain periods (e.g., between 7:00 am and 5:00 p.m. U.S. pacific standard time). The time period check can include any combination of time of day, day of week, week of month, month of year, and/or year.

A fourth check can be invoked to determine whether the destination address indicated by an access request is authorized. This check can be performed by examining packet destination address information, or possibly by prompting a user to enter the information. For example, in File Transfer Protocol (FTP) requests, the user may be required to enter the destination address (e.g., username@host) in response to a prompt generated by the assigned proxy agent.

A proxy agent can also run tests that intercept and discard any messages that attempt to initiate a process on the firewall box. For example, a conventional system having applications may include an application such as SendMail. SendMail, in addition to providing mail delivery,

connecting the incoming request with a destination host also ™ ntams f eatures for collecting and tracking source and 

machine. Once the source is determined, the proxy agent can 20 d ^ Una ,T * £o ™ atl °n of mai1 messages The ^formation 

run an appropriate combination of verification checks suited denved ^ a ha <* er {h ™Z h execution of such SendMail 

to the integrity of the request as indicated by its source. In commands can be used to gam access to secure network 

the event that a legitimate user is accessing a protected elements * Hence a proxy agent in accordance with the 

network element using suspect computer (e.g., a visiting mvenUon can ™lude, within its set of tests, a check for 

professor logging on to a university's host computer rather 2S fe " etm S out f^f* 1 ^ P ackets havm S nested execut- 

than his or her office computer) it may be advantageous to able commands. A firewall incorporating the invention can, 

allow such a user through, but only after a more rigorous set however > f ™ M ** the i communication of normal electronic 

of interactive verification tests. However, the packet source messages Hence, valid mail can be passed through the 

address need not necessarily dictate the particular combina- fire ^ a11 318 t0 aD mteraal E ' mai1 s y stem 320 rf ° th erwise 

tion of verification tests performed by the proxy agent. A 30 autD °nzeo. 

proxy agent can have a fixed set of verification tests based The checks described do not represent an exhaustive list 

on the port designation. The particular selection of verifi- of available verification checks. They merely represent a 

cation checks is discretionary. Several such checks are variety of access validation checks and are described to 

described below assist in describing exemplary embodiments of the inven- 

Sourceaddressverificationcanbebasedonacheckofthe 35 tion ' ^ Particular combination of tests is discretionary, 

validity of on or more specific addresses, or, on a range of 0ther ****** can be added " deemed fit or necessary for a 

address values (e.g., the first octet has a value of between particular scenario. 

zero and 100). Such a check involves a determination of After a proxy agent successfully completes its set of one 
whether a host source address of an incoming packet com- or more verification tests, the proxy agent initiates a con- 
ports with a list of authorized or unauthorized addresses, or 40 nection request to the destination machine (and port) on 
is within a designated range. If the source address is not on behalf of the incoming access request. The purpose of this 
the list, the packet is discarded. Referring back to FIG. 3, in practice is to maintain anonymity on each side of the 
the event that the external user 300 attempts to contact a firewall. A party tapping either of the connections entering 
network element behind the firewall 318, the proxy agent or exiting the firewall only "sees" the elements on each side 
can check the source address of the host computer 302. If the 45 of the tap, but not those beyond the tap. 
proxy agent determines that the host computer 302 does not In accordance with another aspect of exemplary embodi- 
have an authorized address, the request originating from the ments of the invention, security is supplemented by per- 
host computer 302 is discarded. forming packet filtering on incoming access request packets. 

A second check can be used to determine the authority of Such packet filtering can be provided either by the operating 

an access request based on the identity of a user seeking to 50 svstem °f me firewall box, or by a router, such as router 308. 

gain access. This may involve interactively prompting the In accordance with preferred embodiments, the packet fil- 

user 300 to enter either a user name, or a user/password tering is directed to eliminating source based routing, 

combination. Because the proxy agent is protocol sensitive, Therefore, the packet filter maintains a list of addresses 

it is designed to issue prompts in accordance with the format corresponding to network elements residing behind the 

indicated by the port number of the incoming access request. 55 firewall 318. If any incoming access request has a source 

A particular user may have limited access, in which case the address of a network element behind the firewall 318, that 

user may be prompted to enter the address of the destination packet will be intercepted and discarded, 

machine to be accessed. If the proxy agent determines that FIGS. 4A and 4B depict a flow diagram of an exemplary 

the user is not authorized to access the requested destination process for analyzing an access request received at the 

machine, the user can be re-prompted to enter another eo firewall 318 of FIG. 3. The process described is merely 

destination machine, or the request can be discarded alto- exemplary, and any combination of checks or steps may be 

gethcr. performed in accordance with a selected combination of 

A third check can be performed to determine whether the checks. Furthermore, the order of step execution can be 

time period during which an access request is being made is altered as needed for a particular scenario, 

authorized in and of itself, or for a particular user, source 65 Consider the situation where the user 300 in FIG. 3 is 

address, or destination address indicated in the request. For authorized to access the Web server 322 that resides behind 

example, the check can permit access to a certain class of the firewall 318. To access the Web server 322, the user 300, 
operating the host computer 302, first logs onto a public network (step 400) that is compatible with TCP/IP protocols. To access the Web server of the institution 310, the user 300 enters an appropriate address (step 402), such as "http:\\webwho.com". The access request is received by a router 304 which forwards the message to the Internet 306. The Internet may forward the message through a series of routers and present it to a router 308 that services the institution 310.
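The source address verification and the anti-spoofing packet filter described above, written out as an added example (this is not code from the patent or its assignee). The internal host list, the allow and deny lists and the packet addresses are constructed sample data; the spoof check runs first, because it belongs to the packet filter in front of the proxy agent, and the list/range check second.

```python
"""Added example (not the patent's code): the packet filter that discards
packets claiming an internal source, plus the source-address list/range
check a proxy agent applies. All addresses below are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed sample data: network elements behind the firewall. The labels
# 320/322 follow the patent's FIG. 3; the addresses themselves are invented.
INTERNAL_NETWORK = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_HOSTS = {
    "email_system_320": ipaddress.ip_address("192.0.2.25"),
    "web_server_322": ipaddress.ip_address("192.0.2.10"),
}
# Source policy (constructed): an explicit deny list of single addresses and
# an allow list whose entries may be single hosts or CIDR ranges.
DENY_SOURCES = ["198.51.100.7"]
ALLOW_SOURCES = ["203.0.113.0/24", "198.51.100.0/25"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def is_spoofed_internal(pkt: Packet) -> bool:
    """Packet-filter rule: a packet arriving from the public side must never
    carry the address of an element behind the firewall."""
    src = ipaddress.ip_address(pkt.src)
    return src in INTERNAL_NETWORK or src in INTERNAL_HOSTS.values()


def first_octet_in_range(src: str, low: int, high: int) -> bool:
    """The patent's range example: the first octet lies between low and high
    (IPv4 only; other address families fail the check)."""
    addr = ipaddress.ip_address(src)
    if not isinstance(addr, ipaddress.IPv4Address):
        return False
    return low <= addr.packed[0] <= high


def source_authorized(src: str) -> bool:
    """List check: an entry on the deny list wins; otherwise the source must
    match a host or range on the allow list."""
    addr = ipaddress.ip_address(src)
    if any(addr == ipaddress.ip_address(d) for d in DENY_SOURCES):
        return False
    return any(addr in ipaddress.ip_network(a, strict=False) for a in ALLOW_SOURCES)


def ingress_filter(pkt: Packet) -> str:
    """Decision for one incoming packet: spoof check first (packet filter),
    then the proxy agent's source-address check."""
    if is_spoofed_internal(pkt):
        return "discard:spoofed-internal-source"
    if not source_authorized(pkt.src):
        return "discard:unauthorized-source"
    return "pass"


if __name__ == "__main__":
    for p in (Packet("192.0.2.10", "192.0.2.10", 80),
              Packet("198.51.100.7", "192.0.2.10", 80),
              Packet("203.0.113.44", "192.0.2.10", 80)):
        print(p.src, "->", ingress_filter(p))
```

The deny list is consulted before the allow list so that a single address can be cut out of an otherwise permitted range, which is the usual way an "unauthorized addresses" list and an "authorized range" are combined.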

Because the access request seeks to access a destination 
address residing behind the firewall 318, the access request 
message is presented to the firewall 318 (step 404). In 
accordance with an exemplary embodiment, a proxy agent 
running on the firewall 318 is assigned to the access request 
in accordance with a preliminary analysis of the port number 
designation within the packet representing the access request 
(step 406). In this case, port number 80 (HTTP) would 
ordinarily be designated in the request. The assessment also 
can involve a determination of whether the service indicated 
by the port number comports with the contents of the request 
(step 408). That is, does the request indicate one service 
(port number) while being formatted for another. If there is 
disparity, the access is denied (step 410). 

The proxy agent can then analyze a source address to 
determine whether the host computer 302 from which the 
message originated is authorized to access the secure Web 
server 322 (step 412). As described above, this check can be 
used to optionally invoke a more rigorous set of verification 
checks if the source is unknown or suspect. This assessment 
can involve a comparison of the source address with a list of 
authorized or unauthorized addresses maintained by the 
proxy agent (step 414). In the exemplary case here, if the 
source address is not authorized (i.e., the source address is 
not on the list), the access request is denied (step 416). The 
extent to which a proxy agent verifies the validity of an 
access request can vary. It should be noted that in some 
cases, a proxy agent may need to do little more than verify 
address information before initiating a connection to the 
destination device on behalf of the source host. 
Alternatively, if a source address is suspect, or a proxy 
agent's set of checks is fixed, the proxy agent can perform 
additional checking. 

In the present exemplary scenario the access request 
message is further analyzed to determine whether the access 
request is being received during an authorized time period, 
such as a time of day (step 418). If the time of day during 
which the access request is received is not authorized, the 
connection request is denied (step 420). The time of day 
assessment can be tailored for specified users, source host 
machines, and/or IP addresses. For example, to prevent 
evening hacking by users in Canada, North, and South 
America, such users may be denied access other than during 
normal U.S. business hours. A user in India, however, 
operating during Indian daylight hours, may be allowed to 
access the system during U.S. evening hours. 

A proxy agent also can assess whether user or user/ 
password information is necessary to gain access (step 422). 
If not, the proxy agent can initiate the connection (step 424). 
If the information is required, the proxy agent prompts the 
user with an appropriately formatted message to enter a 
user name and/or password information (step 426). The user 
name and/or password information is checked (step 428). If 
an unauthorized user name is entered, or the password is 
invalid, the access request is denied (step 430). If a valid 
user name, or user/password combination is entered, the 
proxy agent can make further assessments, if deemed nec- 
essary or appropriate, to determine whether the host machine 
302 is authorized to access the particular destination (e.g. 
Web server 322) (step 432). If not authorized, the access is 
denied (step 434). An additional proxy agent check can 
determine whether the particular network element to which 
the user 300 is attempting to gain access is available to the 
particular user (step 436). If not authorized, the access 
request is denied (step 438). 
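The check sequence of FIGS. 4A and 4B (steps 406 through 440), written as an added example in Python; it is not code from the patent or its assignee. The proxy agent table, the authorized source list, the business-hours window, the user store and the request payloads are all constructed policy data, and the step numbers in the comments are the patent's. Each decision, allowed or denied, is also written to an in-memory transaction log carrying the fields the patent lists for such a log.

```python
"""Added example (not the patent's code): the proxy agent check chain of
FIGS. 4A/4B as an ordered pipeline with a transaction log."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, List, Optional, Tuple

# Step 406: one proxy agent per port, each with a predicate that decides
# whether a payload is formatted for the protocol the port implies (step 408).
PROXY_AGENTS: Dict[int, Tuple[str, Callable[[bytes], bool]]] = {
    80: ("HTTP", lambda d: d.split(b" ")[0] in (b"GET", b"HEAD", b"POST") and b" HTTP/1." in d),
    21: ("FTP", lambda d: d.startswith((b"USER ", b"PASS "))),
}
AUTHORIZED_SOURCES = {"203.0.113.44", "203.0.113.45"}   # steps 412/414 (constructed)
BUSINESS_HOURS = (time(7, 0), time(17, 0))                # step 418: 7:00 am to 5:00 pm
CREDENTIALS_REQUIRED_PORTS = {21}                         # step 422: FTP prompts, HTTP does not


def _pw_digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user store holding salted hashes only; "visitor"'s plaintext is "s3cret-example".
USERS = {"visitor": ("salt-1", _pw_digest("salt-1", "s3cret-example"))}
USER_DESTINATIONS = {"visitor": {"web_server_322"}}                          # step 436
HOST_DESTINATIONS = {"203.0.113.44": {"web_server_322", "email_system_320"},  # step 432
                     "203.0.113.45": {"web_server_322"}}

TRANSACTION_LOG: List[dict] = []   # one record per decision: source, destination, time, user


@dataclass
class AccessRequest:
    src: str
    dport: int
    dest: str
    payload: bytes
    received_at: datetime
    username: Optional[str] = None   # the user's answers to the agent's prompts, if any
    password: Optional[str] = None


def at(hour: int, minute: int = 0) -> datetime:
    """Constructed timestamp on a fixed sample day, for readable requests."""
    return datetime(2024, 3, 4, hour, minute)


def password_ok(username: Optional[str], password: Optional[str]) -> bool:
    """Step 428: constant-time comparison against the stored salted hash."""
    entry = USERS.get(username or "")
    if entry is None or password is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(_pw_digest(salt, password), digest)


def in_authorized_period(when: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return start <= when.time() < end


def verify(req: AccessRequest) -> Tuple[str, int]:
    """Run the checks in the patent's order; return (decision, step reached)."""
    def finish(decision: str, step: int) -> Tuple[str, int]:
        TRANSACTION_LOG.append({"src": req.src, "dest": req.dest, "port": req.dport,
                                "time": req.received_at.isoformat(), "user": req.username,
                                "decision": decision, "step": step})
        return decision, step

    agent = PROXY_AGENTS.get(req.dport)                               # step 406
    if agent is None:
        return finish("denied: no proxy agent for port", 406)
    proto, formatted_for = agent
    if not formatted_for(req.payload):                                 # step 408
        return finish(f"denied: payload not formatted for {proto}", 410)
    if req.src not in AUTHORIZED_SOURCES:                              # steps 412/414
        return finish("denied: source address not authorized", 416)
    if not in_authorized_period(req.received_at):                      # step 418
        return finish("denied: outside authorized time period", 420)
    if req.dport not in CREDENTIALS_REQUIRED_PORTS:                    # step 422 -> no
        return finish("connect", 424)
    if not password_ok(req.username, req.password):                    # steps 426/428
        return finish("denied: invalid user name or password", 430)
    if req.dest not in HOST_DESTINATIONS.get(req.src, set()):          # step 432
        return finish("denied: host not authorized for destination", 434)
    if req.dest not in USER_DESTINATIONS.get(req.username, set()):     # step 436
        return finish("denied: destination not available to user", 438)
    return finish("connect", 440)                                      # step 440


if __name__ == "__main__":
    print(verify(AccessRequest("203.0.113.44", 80, "web_server_322", b"GET / HTTP/1.1\r\n", at(10))))
    print(verify(AccessRequest("203.0.113.44", 21, "web_server_322", b"USER visitor\r\n", at(10),
                               "visitor", "s3cret-example")))
    print(TRANSACTION_LOG[-1])
```

The order matters for the denial-of-service point made earlier: the cheap structural checks (port, payload format, source list, time window) come first and discard a bad request before any interactive prompt or connection attempt is made on its behalf.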

If after the proxy agent has completed its set of tests it is determined that the access request is authorized, the proxy agent initiates a connection to the Web server 322 on behalf of the source machine 300 (step 440). Because the firewall forms a connection (using a proxy agent) following the completion of validation checks associated with the proxy agent's test set, the firewall functions as a Bastion host, or firewall server, on behalf of the access request source. By using the firewall as a Bastion host, or firewall server, to act on behalf of the user accessing the secure network 328, the identity of internal network elements is not revealed because the firewall 318, acting as an intermediary, shields the identity of the network elements on whose behalf it is acting. All the external user sees, in terms of addresses, is the firewall. If an internal connection is tapped onto, a valid source address or user identity is not available to the hacker as the firewall 318 appears to be the source of the connection. Hence, a firewall arrangement in accordance with the invention provides two-way transparency.

Another aspect of an exemplary embodiment of the invention involves sending an "out-of-band" system message in response to a username or username/password combination provided by a user. Such a system involves communicating a password, or password portion, back to a user on a communication medium other than the computer network being used. The user enters the information received by out-of-band means to complete a logon process. For example, a user can be prompted to enter their username and the first half of a password. The system receiving this information, upon verifying it, sends back the remaining half of the password to the user by automatically generating a phone call to a beeper provided to the user. The beeper's display indicates the remaining password portion which is then entered by the user to complete the logon. The identity of the user is thereby authenticated. A hacker does not possess the means to receive the out-of-band response (i.e., the beeper). The password, or password portion sent back to the user by out-of-band means can be a random number generated by the firewall system. 
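The out-of-band logon described above, as an added example (not code from the patent or its assignee). The enrolled user, the pager number and the "pager display" are constructed; the phone call to the beeper is simulated by writing to that display. Two design points that the description implies are made explicit: nothing is paged unless the user name and first half verify, and the paged second half is single use and consumed on the first attempt whether or not it matches.

```python
"""Added example (not the patent's code): two-step logon in which the second
half of the password is a random number delivered out of band."""
import hashlib
import hmac
import secrets
from typing import Optional


def _digest(secret: str) -> str:
    # Constructed static salt for the example; a real store uses a per-user salt.
    return hashlib.sha256(("example-salt:" + secret).encode()).hexdigest()


# Enrolled users (constructed): hash of the first password half and the pager to call.
ENROLLED = {"alice": {"first_half": _digest("tiger-"), "pager": "555-0100"}}
PAGER_DISPLAY = {}   # simulated beeper display, keyed by pager number
PENDING = {}         # username -> second half awaiting entry (single use)


def start_logon(username: str, first_half: str) -> bool:
    """Step one: verify user name and first half over the network channel;
    only then generate a random second half and send it out of band."""
    user = ENROLLED.get(username)
    if user is None or not hmac.compare_digest(_digest(first_half), user["first_half"]):
        return False
    second_half = f"{secrets.randbelow(10**6):06d}"   # random number from the firewall
    PENDING[username] = second_half
    PAGER_DISPLAY[user["pager"]] = second_half          # simulated phone call to the beeper
    return True


def complete_logon(username: str, second_half: Optional[str]) -> bool:
    """Step two: the value typed from the beeper must match the pending
    second half. The pending value is consumed on any attempt, so a wrong
    guess forces a fresh start_logon (and a fresh page) rather than a retry."""
    expected = PENDING.pop(username, None)
    if expected is None or second_half is None:
        return False
    return hmac.compare_digest(expected, second_half)


def read_pager(pager: str) -> Optional[str]:
    """What the legitimate user sees on the beeper (the out-of-band channel)."""
    return PAGER_DISPLAY.get(pager)


if __name__ == "__main__":
    if start_logon("alice", "tiger-"):
        shown = read_pager("555-0100")          # the user reads the beeper
        print("logon complete:", complete_logon("alice", shown))
```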

Another aspect of exemplary firewall systems operating in accordance with the invention is that all processes, including proxy agents, running on the firewall, operate in a "daemon mode." When a computer operating system receives a request to perform a task it will open up a job and designate a corresponding job number in order to provide and manage resources associated with that job. When the task is completed the operating system designates the job for closure. However, the actual closure of the job and removal of the corresponding job number does not always take place immediately because it is considered to be a low priority task. This occasionally leaves an idle job open on the system awaiting closure. Hackers have learned that they can exploit such an idle job, reactivate its status, and access resources available to the job. By operating in a daemon mode, the operating system of the firewall box immediately shuts down jobs following the completion of designated tasks.

When a computer upon which the firewall is running is operating in a UNIX environment, there are UNIX-specific security measures that can be invoked. One such security measure is the "changeroot" feature. A "root" user is a user 
having high levels of access to files branching from a "root directory." If a network intruder can access a root directory, the network intruder may be able to access the files hierarchically emanating from the root directory. In accordance with another aspect of a secure database system incorporating the present invention, all jobs running on the firewall system and on the secure database system are preceded by a "changeroot" command to change the identity of the root directory. A new root directory is created by execution of this command that can be used for transaction-specific purposes. This new directory does not have access to any of the original file directories branching from the original root directory. Consequently, if a hacker is able to access information associated with a job, corresponding root directory data will be useless.

Another aspect of a system in accordance with the invention is the use of aliases by the firewall when addressing machines residing behind the firewall. A machine behind the firewall can be addressed by the firewall according to an alias of its actual IP address. Hence, if a hacker is somehow able to tap the firewall, any addresses detected by the hacker corresponding to machines attached to the backside of the firewall will be fictitious.

An additional security feature that can be provided in the firewall system is a transaction log. Such a log gathers information associated with any access request message seeking to connect to or inquire about network elements residing behind the firewall. Information gathered in such a transaction log may include, but is not limited to, the source address (what is the identity of the machine from which the request originated), the IP address (which Internet port system did the request originate over), the destination address (who is the request trying to reach), time of access, and/or the identity of the user (who is using the source machine). This information can facilitate the identification of a hacker if the hacker's activities require legal attention.

The exemplary scenarios described above are directed primarily to situations where outside users are attempting to access network elements residing behind a firewall. It should be noted, however, that a firewall in accordance with the present invention also can be utilized to monitor and control packet traffic originating from behind a firewall, allowing and disallowing connection based upon predetermined rules. Hence, a firewall incorporating the invention also can be used to control what, where, who, how and when a user behind the firewall can access the outside world. This can be done in addition to monitoring and controlling incoming traffic.

Because exemplary embodiments involve the operation of computing systems, an exemplary embodiment of the invention can take the form of a medium for controlling such computing systems. Hence, the invention can be embodied in the form of an article of manufacture as a machine readable medium such as floppy disk, computer tape, hard drive disk, CD ROM, RAM, or any other suitable memory medium. Embodied as such, the memory medium contains computer readable program code which causes a computing system upon which the firewall system is running to function or carry out processes in accordance with the present invention. 

An exemplary application of the invention has been 
described protecting an internal network. However, one 
skilled in the art will readily appreciate and recognize that 
the firewall system or method of operation in accordance 
with the invention can be applied in any scenario requiring 
the protection of network elements that are attached to a 
publicly accessible medium, such as the Internet. The inven- 
tion provides the benefit of attaching a system to a public 
network with reduced apprehension of that system being 
compromised over the public network. 

The invention has been described with reference to par- 
ticular embodiments. However, it will be readily apparent to 
those skilled in the art that it is possible to embody the 
invention in specific forms other than those of the embodi- 
ments described above. Embodiment of the invention in 
ways not specifically described may be done without depart- 
ing from the spirit of the invention. Therefore, the preferred 
embodiments described herein are merely illustrative and 
should not be considered restrictive in any way. The scope 
of the invention is given by the appended claims, rather than 
by the preceding description, and all variations and equiva- 
lents which fall within the range of the claims are intended 
to be embraced therein. 

What is claimed is: 

1. A firewall system for protecting network elements 
comprising: 

a computing platform having a microprocessor and 
memory storage, wherein said computing platform 
provides access from a network connection to at least 
one network element, wherein said memory contains 
instructions causing said microprocessor to perform the 
steps of: 

initializing a plurality of proxy agents, wherein each of 
said proxy agents is assigned a corresponding port 
number and protocol; 

verifying that incoming connection requests are for- 
matted in accordance with said corresponding pro- 
tocol; 

logging information associated with incoming connec- 
tion requests; and, 

processing received packets to determine the presence 
of executable commands nested within received 
packets, and if detected, discarding said received 
packets. 